The long-awaited and, one hopes, much-prepared-for General Data Protection Regulation (GDPR) is just a few short months away from taking effect. To help companies look at the practical steps they need to take now in order to be ready, Pillsbury will be presenting “#ReadyforGDPR?” on February 20 from Noon – 1:00pm EST. We will discuss how the new rules will significantly affect companies doing business in Europe, including those without a physical EU presence, and the latest feedback from enforcers on what will trigger fines. We hope you can join!
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (a.k.a. the General Data Protection Regulation or GDPR) will, as most business people are probably aware by now, apply across the EU from 25 May 2018.
This will be the case in the UK (notwithstanding Brexit) and in every other member state, since EU regulations are directly applicable. In other words, they do not need an act of parliament in the member state to make them law. By contrast, EU directives are not directly applicable: once adopted, they still require implementing legislation in each member state before they become part of national law. The current regime, the 1995 Data Protection Directive and the UK’s Data Protection Act 1998 that implements it, both due to be replaced next year, is a good example of this.
To complete the picture from a UK regulatory perspective, the government has introduced a Data Protection Bill, which is currently passing through parliament. The Bill does not replace the GDPR in the UK. Instead it seeks to make the UK’s own data protection laws “fit for purpose” in a digital age, replacing the 1998 Act and, amongst other things, implementing the “GDPR standards across all general data processing”.
Those of us who have been grappling with how best to approach GDPR compliance in outsourcing and other commercial contracts will be all too familiar with Article 28 of the GDPR, which governs the contract between a controller and its processor. Article 28.3 builds on the limited obligations of the current regime but also includes some significant enhancements to the minimum processor obligations that must be addressed head on in the contract.
Processor’s obligation to notify infringing instructions
One requirement of Article 28.3 in particular, the processor’s duty to inform the controller immediately if, in its opinion, an instruction infringes the GDPR or other EU or member state data protection law, has caused clients and counsel alike a degree of angst since the final text of the GDPR was published in May 2016, and further back still for those of us who followed the negotiations and multiple redrafts of the GDPR prior to its final publication.
The UK Government has published a statement of intent containing details of its proposed Data Protection Bill. The full text of the Bill is expected in September 2017, when the UK Parliament returns from its summer break.
The Bill will enshrine the EU General Data Protection Regulation (GDPR) in UK domestic law. It will also implement the requirements of EU Directive 2016/680 (the Law Enforcement Directive), which covers the processing of personal data by competent authorities for the prevention, investigation, detection and prosecution of criminal offences, and the free movement of such data.
Why is a UK bill needed?